qcombbdbg

Debugger for the Qualcomm baseband chip MSM6280.

DEPENDENCIES

  • GNU ARM compilation toolchain.
  • Cross-compiled GDB for ARM.
  • Ruby interpreter.

DIRECTORIES

  • src/preloader: Simple stager payload to speed up the debugger injection.
  • src/qcombbdbg: Debugger sources.
  • scripts/tools/dbgupload.rb: Uploads the debugger into volatile memory.
  • scripts/tools/gdbproxy.rb: Proxy to interface GDB with the live debugger.

SUPPORTED DEVICES

  • Option Icon 225, firmware revision 2.5.13Hd
  • Option Icon 225, firmware revision 2.5.21Hd
  • Option Icon 225, firmware revision 2.5.23Hd

USAGE

  1. Compile preloader.bin and qcombbdbg.bin images (e.g make MODEL=2.5.13Hd).
  2. Plug the USB stick, 3 emulated serial ports should appear (under Linux, requires the hso module).
  3. Go to scripts/tools and run: ruby dbgupload.rb /dev/ttyHS2
  4. On success, run: ruby gdbproxy.rb tcp:1234 tty:/dev/ttyHS2
  5. Fire GDB, and load the .gdbinit file provided in the root folder.
  6. Type: connect 1234, GDB will connect to the proxy and will import the list of threads.

RANDOM NOTES

This is still very experimental.

REX creates a fake idle task named 'REX Idle Task' (Task #1). This task is actually never scheduled, so you cannot break it, nor step into it. The real idle task is called 'SLEEP'. At startup, GDB will automatically attach to a thread and stop it. The debugger forces GDB to attach to the fake idle task, so the system will still be fully running.

In non-stop mode, GDB will execute commands in the current thread context. If you want to change the current thread, use the command thread <num>. The first thing you might want to do is to interrupt the watchdog task.

For example:

(gdb) thread find DOG

Thread 68 has extra info 'DOG           [wait: 0x00006800; active: 0x00000000]'



(gdb) thread apply 68 interrupt

Thread 68 (Thread 68):

[Thread 68] #68 stopped.

Displaced stepping is disabled for the moment (as of GDB 7.3.1, Thumb is not supported). Consequently, do not try to single-step or put breakpoints into heavily used system functions (like memcpy, rex_wait, rex_set_signals, and so on). If the DIAG task or the USB task encounters an exception, the debugger won't be able to handle it.

Project Information

The project was created on Jan 10, 2012.

Labels:
Baseband Debugger Qualcomm Embedded